Social Engineering Threatens Windows 11 Upgrade

Windows 11, the latest version of the Microsoft Windows operating system (OS), was released in October 2021 with a broad upgrade deployment hitting in late January. Between media related to the OS release and many systems pushing out recommended checks for upgrading, users were encouraged to check out the new version. For hackers, it was the perfect time to employ social engineering tricks to lure users into installing malware via a fake installer.

Hewlett-Packard (HP) was the first to identify the malicious software. On January 27, the day after Windows posted their announcement of the OS’s final upgrade phase, hackers registered the domain “windows-upgraded.com” to an organization located in Moscow, Russia. This housed a fake installer containing malware, HP’s Threat Research Blog reports. HP refers to this as a “topical lure” – since this was a hot topic at the time, that can be easily used to take advantage of users’ expectations and interest. Creating domain names that are similar to existing and trusted domains is a popular form of social engineering. Many users don’t look that closely at the URL they are visiting – especially if that link is found and clicked on via a search engine.

“The attackers copied the design of the legitimate Windows 11 website, except clicking on the ‘Download Now’ button downloads a suspicious zip archive called Windows11InstallationAssistant.zip,” reports Patrick Schläpfer for HP. “The file was hosted on Discord’s content delivery network.”

The malware used to create the malicious software is RedLine Stealer, an inexpensive and widely available malware that gathers information from users’ browsers, including saved credentials, autocomplete data, and credit card information. HP did not share any details on how many people may have been impacted by the malware.

HP quickly discovered that the compressed installer download was only 1.5 MB, but once decompressed, expanded to 753 MB in size, showing a far larger compression rate than typically seen with executable files. HP says this is because the .exe contained a large quantity of highly compressible padding.

“One reason why the attackers might have inserted such a filler area, making the file very large, is that files of this size might not be scanned by an anti-virus and other scanning controls, thereby increasing the chances the file can execute unhindered and install the malware,” states Schläpfer.

HP shares that a similar attack was conducted back in December 2021, which utilized RedLine Stealer to disguise malware within a Discord installer. In that instance, the hackers bought “discrodappp.com” and implanted malware into the app’s install software.

“In both campaigns, the threat actor used fake websites mimicking popular software to trick users into installing their malware, registered the domains using the same domain registrar, used the same DNS servers, and delivered the same family of malware,” says Schläpfer.

Both instances highlight the importance of ensuring cybersecurity professionals are aware of the latest updates to frequently used systems and software. It is also vital that cybersecurity departments ensure that the employees within their organizations are educated on knowing what resources to trust when it comes to installing or upgrading software – both personally and professionally.

Want to learn more about cybersecurity? View the full list of bachelor’s, master’s, and doctorate degrees in cyber and information security. Many courses are available both on-campus and online. To learn more about Capitol Tech’s degree programs, contact admissions@captechu.edu.